List of usage examples for org.bouncycastle.cert.cmp ProtectedPKIMessage verify
public boolean verify(ContentVerifierProvider verifierProvider) throws CMPException
From source file:org.cryptable.pki.communication.PKICMPMessages.java
License:Open Source License
/** * The message to decode a certification response * * @param message//from w w w.ja v a 2 s. c o m * @return response message * @throws IOException * @throws PKICMPMessageException */ PKICMPResponse processResponse(byte[] message) throws IOException, PKICMPMessageException, CertificateException, OperatorCreationException, CMPException, PKIKeyStoreException, ParseException { CertificationResult certificationResult = new CertificationResult(); ProtectedPKIMessage pkiMessage = new ProtectedPKIMessage(new GeneralPKIMessage(message)); /* Verify Signature */ ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(pkiKeyStore.getProvider()).build(pkiKeyStore.getRecipientCertificate()); if (!pkiMessage.verify(verifierProvider)) { throw new PKICMPMessageException("E: Verification failed this is an untrusted Message [" + pkiMessage.getHeader().getSender() + "]"); } if (!Arrays.equals(senderNonce, pkiMessage.getHeader().getRecipNonce().getOctets())) throw new PKICMPMessageException( "E: Recipient Nonce in response does not correspond with Sender Nonce in request!"); if (pkiMessage.getHeader().getMessageTime() != null) { pkiKeyStore.verifyCertificate(pkiKeyStore.getRecipientCertificate(), pkiMessage.getHeader().getMessageTime().getDate()); } else { pkiKeyStore.verifyCertificate(pkiKeyStore.getRecipientCertificate(), new Date()); } PKICMPResponse pkicmpResponse = new PKICMPResponse(); pkicmpResponse.setPkiBody(pkiMessage.getBody()); pkicmpResponse.setPkiHeader(pkiMessage.getHeader()); X509CertificateHolder[] x509CertificateHolders = pkiMessage.getCertificates(); JcaX509CertificateConverter jcaX509CertificateConverter = new JcaX509CertificateConverter(); for (X509CertificateHolder x509CertificateHolder : x509CertificateHolders) { pkicmpResponse.getX509CertifificateList() .add(jcaX509CertificateConverter.getCertificate(x509CertificateHolder)); } return pkicmpResponse; }
From source file:org.cryptable.pki.communication.PKICMPMessagesTest.java
License:Open Source License
/** * Test the basic certification request message * * @throws OperatorCreationException/*from w w w . j a v a 2 s . c o m*/ * @throws CertificateEncodingException * @throws IOException * @throws CRMFException * @throws CMPException * @throws CMSException */ @Test public void testCertification() throws OperatorCreationException, CertificateEncodingException, IOException, CRMFException, CMPException, CMSException, ParseException, PKICMPMessageException, NoSuchProviderException, NoSuchAlgorithmException, NoSuchFieldException, IllegalAccessException { String distinguishedName = pki.getTestUser1Cert().getSubjectX500Principal().getName(); KeyPair keyPair = new KeyPair(pki.getTestUser1Cert().getPublicKey(), pki.getTestUser1CertPrivateKey()); PKICMPMessages pkiMessages = new PKICMPMessages(); pkiMessages.setPkiKeyStore(pkiKeyStoreRA); byte[] result = pkiMessages.createCertificateMessageWithLocalKey(distinguishedName, keyPair); ASN1InputStream asn1InputStream = new ASN1InputStream(result); ASN1Primitive asn1Primitive = asn1InputStream.readObject(); PKIMessage pkiMessage = PKIMessage.getInstance(asn1Primitive); // Header verification Assert.assertEquals(pkiMessage.getHeader().getPvno().getValue(), BigInteger.valueOf(2)); Assert.assertEquals(pkiKeyStoreRA.getRecipientCertificate().getSubjectDN().getName(), pkiMessage.getHeader().getRecipient().getName().toString()); Assert.assertEquals(pkiKeyStoreRA.getSenderCertificate().getSubjectDN().getName(), pkiMessage.getHeader().getSender().getName().toString()); Assert.assertNotNull(pkiMessage.getHeader().getSenderNonce()); Assert.assertNotNull(pkiMessage.getHeader().getTransactionID()); Assert.assertNotNull(pkiMessage.getHeader().getMessageTime().getDate()); // check the body // Check the tests in Bouncycastle for decoding cert request Assert.assertEquals(PKIBody.TYPE_CERT_REQ, pkiMessage.getBody().getType()); CertReqMsg[] certReqMsgs = CertReqMessages.getInstance(pkiMessage.getBody().getContent()) .toCertReqMsgArray(); Assert.assertEquals(BigInteger.ZERO.toString(), certReqMsgs[0].getCertReq().getCertReqId().toString()); Assert.assertEquals(distinguishedName, certReqMsgs[0].getCertReq().getCertTemplate().getSubject().toString()); Assert.assertArrayEquals(keyPair.getPublic().getEncoded(), certReqMsgs[0].getCertReq().getCertTemplate().getPublicKey().getEncoded()); AttributeTypeAndValue[] attributeTypeAndValue = certReqMsgs[0].getCertReq().getControls() .toAttributeTypeAndValueArray(); Assert.assertEquals(CRMFObjectIdentifiers.id_regCtrl_pkiArchiveOptions, attributeTypeAndValue[0].getType()); // Check the signature GeneralPKIMessage generalPKIMessage = new GeneralPKIMessage(result); Assert.assertTrue(generalPKIMessage.hasProtection()); ProtectedPKIMessage pkiMsg = new ProtectedPKIMessage(generalPKIMessage); ContentVerifierProvider verifierProvider = new JcaContentVerifierProviderBuilder() .setProvider(pkiKeyStoreRA.getProvider()) .build(pkiKeyStoreRA.getSenderCertificate().getPublicKey()); Assert.assertTrue(pkiMsg.verify(verifierProvider)); }
From source file:org.xipki.ca.client.impl.CmpRequestor.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final X509Certificate cert) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage pMsg = new ProtectedPKIMessage(pkiMessage); if (pMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }// ww w . j a v a 2s .c om PKIHeader h = pMsg.getHeader(); if (c14nRecipientName != null) { boolean authorizedResponder = true; if (h.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { String c14nMsgSender = getSortedRFC4519Name((X500Name) h.getSender().getName()); authorizedResponder = c14nRecipientName.equalsIgnoreCase(c14nMsgSender); } if (authorizedResponder == false) { LOG.warn("tid={}: not authorized responder '{}'", tid, h.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } } ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) { LOG.warn("tid={}: not authorized responder '{}'", tid, h.getSender()); return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = pMsg.verify(verifierProvider); return new ProtectionVerificationResult(cert, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }
From source file:org.xipki.ca.server.impl.CmpResponder.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage pMsg = new ProtectedPKIMessage(pkiMessage); if (pMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }//from ww w .j a v a 2 s . co m PKIHeader h = pMsg.getHeader(); AlgorithmIdentifier protectionAlg = h.getProtectionAlg(); if (cmpControl.isSigAlgoPermitted(protectionAlg) == false) { LOG.warn("SIG_ALGO_FORBIDDEN: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN); } CmpRequestorInfo requestor = getRequestor(h); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, h.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } ContentVerifierProvider verifierProvider = securityFactory .getContentVerifierProvider(requestor.getCert().getCert()); if (verifierProvider == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, h.getSender()); return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = pMsg.verify(verifierProvider); return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }
From source file:org.xipki.pki.ca.client.impl.CmpRequestor.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage); if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: " + pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }/*from w w w. ja va 2 s . c om*/ PKIHeader header = protectedMsg.getHeader(); if (recipientName != null) { boolean authorizedResponder = true; if (header.getSender().getTagNo() != GeneralName.directoryName) { authorizedResponder = false; } else { X500Name msgSender = X500Name.getInstance(header.getSender().getName()); authorizedResponder = recipientName.equals(msgSender); } if (!authorizedResponder) { LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } } AlgorithmIdentifier protectionAlgo = protectedMsg.getHeader().getProtectionAlg(); if (!responder.getSigAlgoValidator().isAlgorithmPermitted(protectionAlgo)) { String algoName; try { algoName = AlgorithmUtil.getSignatureAlgoName(protectionAlgo); } catch (NoSuchAlgorithmException ex) { algoName = protectionAlgo.getAlgorithm().getId(); } LOG.warn("tid={}: response protected by untrusted protection algorithm '{}'", tid, algoName); return new ProtectionVerificationResult(null, ProtectionResult.INVALID); } X509Certificate cert = responder.getCert(); ContentVerifierProvider verifierProvider = securityFactory.getContentVerifierProvider(cert); if (verifierProvider == null) { LOG.warn("tid={}: not authorized responder '{}'", tid, header.getSender()); return new ProtectionVerificationResult(cert, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = protectedMsg.verify(verifierProvider); ProtectionResult protRes = signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID; return new ProtectionVerificationResult(cert, protRes); }
From source file:org.xipki.pki.ca.server.impl.cmp.CmpResponder.java
License:Open Source License
private ProtectionVerificationResult verifyProtection(final String tid, final GeneralPKIMessage pkiMessage, final CmpControl cmpControl) throws CMPException, InvalidKeyException, OperatorCreationException { ProtectedPKIMessage protectedMsg = new ProtectedPKIMessage(pkiMessage); if (protectedMsg.hasPasswordBasedMacProtection()) { LOG.warn("NOT_SIGNAUTRE_BASED: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.NOT_SIGNATURE_BASED); }/*from w w w. j a v a 2s . c om*/ PKIHeader header = protectedMsg.getHeader(); AlgorithmIdentifier protectionAlg = header.getProtectionAlg(); if (!cmpControl.getSigAlgoValidator().isAlgorithmPermitted(protectionAlg)) { LOG.warn("SIG_ALGO_FORBIDDEN: {}", pkiMessage.getHeader().getProtectionAlg().getAlgorithm().getId()); return new ProtectionVerificationResult(null, ProtectionResult.SIGALGO_FORBIDDEN); } CmpRequestorInfo requestor = getRequestor(header); if (requestor == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(null, ProtectionResult.SENDER_NOT_AUTHORIZED); } ContentVerifierProvider verifierProvider = securityFactory .getContentVerifierProvider(requestor.getCert().getCert()); if (verifierProvider == null) { LOG.warn("tid={}: not authorized requestor '{}'", tid, header.getSender()); return new ProtectionVerificationResult(requestor, ProtectionResult.SENDER_NOT_AUTHORIZED); } boolean signatureValid = protectedMsg.verify(verifierProvider); return new ProtectionVerificationResult(requestor, signatureValid ? ProtectionResult.VALID : ProtectionResult.INVALID); }